Fixed content storage within a partitioned content platform using namespaces, with versioning
Archive cluster management is enhanced by logically partitioning a physical cluster that comprises a redundant array of independent nodes. Using a web-based interface, an administrator defines one or more “tenants” within the archive cluster, wherein a tenant has a set of attributes: namespaces, administrative accounts, data access accounts, and a permission mask. A namespace is a logical partition of the cluster that serves as a collection of objects typically associated with at least one defined application. Each namespace has a private file system with respect to other namespaces. This approach enables a user to segregate cluster data into logical partitions. Using the administrative interface, a namespace associated with a given tenant is selectively configured without affecting a configuration of at least one other namespace in the set of namespaces. One configuration option is “versioning,” by which an administrator can elect to enable multiple versions of a same data object to be stored in association with a given namespace. Each version of the data object has associated therewith a time of storage attribute that uniquely identifies the version in the archive. Once versioning is enabled for a namespace, the administrator can set a configuration parameter identifying a time period for maintaining a version in the archive cluster, as well as a parameter for a time period for maintaining a version of the data object on a replica associated with the archive cluster. A current version of the data object is freely accessible in the archive, and a prior version may be browsed via an API. Preferably, versioning is disabled for a data object under retention.
This application is related to application:
Ser. No. 11/638,252, filed Dec. 13, 2006, titled “Policy-based management of a redundant array of independent nodes;”
Ser. No. 11/675, 224, filed Feb. 15, 2007, titled “Method for improving mean time to data loss (MTDL) in a fixed content distributed data storage;” and
Ser. No. 11/936,317, filed Nov. 7, 2007, titled “Fast primary cluster recovery.”
The subject matter herein includes material that is subject to copyright, and all such rights are reserved.BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to techniques for highly available, reliable, and persistent data storage in a distributed computer network.
2. Description of the Related Art
A need has developed for the archival storage of “fixed content” in a highly available, reliable and persistent manner that replaces or supplements traditional tape and optical storage solutions. The term “fixed content” typically refers to any type of digital information that is expected to be retained without change for reference or other purposes. Examples of such fixed content include, among many others, e-mail, documents, diagnostic images, check images, voice recordings, film and video, and the like. The traditional Redundant Array of Independent Nodes (RAIN) storage approach has emerged as the architecture of choice for creating large online archives for the storage of such fixed content information assets. By allowing nodes to join and exit from a cluster as needed, RAIN architectures insulate a storage cluster from the failure of one or more nodes. By replicating data on multiple nodes, RAIN-type archives can automatically compensate for node failure or removal. Typically, RAIN systems are largely delivered as hardware appliances designed from identical components within a closed system.BRIEF SUMMARY
A content platform (or “cluster”) that comprises a redundant array of independent nodes is logically partitioned. Using a web-based interface, an administrator defines one or more “tenants” within the archive cluster, wherein a tenant has a set of attributes: namespaces, administrative accounts, data access accounts, and a permission mask. A namespace is a logical partition of the cluster that serves as a collection of objects typically associated with at least one defined application. Each namespace has a private file system with respect to other namespaces. This approach enables a user to segregate cluster data into logical partitions. Using the administrative interface, a namespace associated with a given tenant is selectively configured without affecting a configuration of at least one other namespace in the set of namespaces. One configuration option is “versioning,” by which an administrator can elect to enable multiple versions of a same data object to be stored in association with a given namespace. Each version of the data object has associated therewith a time of storage attribute that uniquely identifies the version in the archive. Once versioning is enabled for a namespace, the administrator can set a configuration parameter identifying a time period for maintaining a version in the archive cluster, as well as a parameter for a time period for maintaining a version of the data object on a replica associated with the archive cluster. A current version of the data object is freely accessible in the archive, and a prior version may be browsed via an API or a command line interface (CLI). Preferably, versioning is disabled for a data object under retention.
The foregoing has outlined some of the more pertinent features of the invention. These features should be construed to be merely illustrative. Many other beneficial results can be attained by applying the disclosed invention in a different manner or by modifying the invention as will be described.
It is known to provide a scalable disk-based archival storage management system, preferably a system architecture based on a redundant array of independent nodes. The nodes may comprise different hardware and thus may be considered “heterogeneous.” A node typically has access to one or more storage disks, which may be actual physical storage disks, or virtual storage disks, as in a storage area network (SAN). The archive cluster application (and, optionally, the underlying operating system on which that application executes) that is supported on each node may be the same or substantially the same. In one illustrative embodiment, the software stack (which may include the operating system) on each node is symmetric, whereas the hardware may be heterogeneous. Using the system, as illustrated in
As described in U.S. Pat. No. 7,155,466, a distributed software application executed on each node captures, preserves, manages, and retrieves digital assets. In an illustrated embodiment of
An illustrative cluster preferably comprises the following general categories of components: nodes 202, a pair of network switches 204, power distribution units (PDUs) 206, and uninterruptible power supplies (UPSs) 208. A node 202 typically comprises one or more commodity servers and contains a CPU (e.g., Intel x86, suitable random access memory (RAM), one or more hard drives (e.g., standard IDE/SATA, SCSI, or the like), and two or more network interface (NIC) cards. A typical node is a 2U rack mounted unit with a 2.4 GHz chip, 512 MB RAM, and six (6) 200 GB hard drives. This is not a limitation, however. The network switches 204 typically comprise an internal switch 205 that enable peer-to-peer communication between nodes, and an external switch 207 that allows extra-cluster access to each node. Each switch requires enough ports to handle all potential nodes in a cluster. Ethernet or GigE switches may be used for this purpose. PDUs 206 are used to power all nodes and switches, and the UPSs 208 are used to protect all nodes and switches. Although not meant to be limiting, typically a cluster is connectable to a network, such as the public Internet, an enterprise intranet, or other wide area or local area network. In an illustrative embodiment, the cluster is implemented within an enterprise environment. It may be reached, for example, by navigating through a site's corporate domain name system (DNS) name server. Thus, for example, the cluster's domain may be a new sub-domain of an existing domain. In a representative implementation, the sub-domain is delegated in the corporate DNS server to the name servers in the cluster itself. End users access the cluster using any conventional interface or access tool. Thus, for example, access to the content platform may be carried out over any protocol (REST, HTTP, FTP, NFS, AFS, SMB, a Web service, or the like), via an API, or through any other known or later-developed access method, service, program or tool.
Client applications access the cluster through one or more types of external gateways such as standard UNIX file protocols, or HTTP APIs. The archive preferably is exposed through a virtual file system that can optionally sit under any standard UNIX file protocol-oriented facility. These include: NFS, FTP, SMB/CIFS, or the like.
In one embodiment, the archive cluster application runs on a redundant array of independent nodes (H-RAIN) that are networked together (e.g., via Ethernet) as a cluster. The hardware of given nodes may be heterogeneous. For reliability, however, preferably each node runs an instance 300 of the distributed application (which may be the same instance, or substantially the same instance), which is comprised of several runtime components as now illustrated in
The gateway protocols in the gateway protocol layer 302 provide transparency to existing applications. In particular, the gateways provide native file services such as NFS 310 and SMB/CIFS 312, as well as a Web services API to build custom applications. HTTP support 314 is also provided. The access layer 304 provides access to the archive. In particular, according to the invention, a Fixed Content File System (FCFS) 316 emulates a native file system to provide full access to archive objects. FCFS gives applications direct access to the archive contents as if they were ordinary files. Preferably, archived content is rendered in its original format, while metadata is exposed as files. FCFS 316 provides conventional views of directories and permissions and routine file-level calls, so that administrators can provision fixed-content data in a way that is familiar to them. File access calls preferably are intercepted by a user-space daemon and routed to the appropriate core component (in layer 308), which dynamically creates the appropriate view to the calling application. FCFS calls preferably are constrained by archive policies to facilitate autonomous archive management. Thus, in one example, an administrator or application cannot delete an archive object whose retention period (a given policy) is still in force.
The access layer 304 preferably also includes a Web user interface (UI) 318 and an SNMP gateway 320. The Web user interface 318 preferably is implemented as an administrator console that provides interactive access to an administration engine 322 in the file transaction and administration layer 306. The administrative console 318 preferably is a password-protected, Web-based GUI that provides a dynamic view of the archive, including archive objects and individual nodes. The SNMP gateway 320 offers storage management applications easy access to the administration engine 322, enabling them to securely monitor and control cluster activity. The administration engine monitors cluster activity, including system and policy events. The file transaction and administration layer 306 also includes a request manager process 324. The request manager 324 orchestrates all requests from the external world (through the access layer 304), as well as internal requests from a policy manager 326 in the core components layer 308.
In addition to the policy manager 326, the core components also include a metadata manager 328, and one or more instances of a storage manager 330. A metadata manager 328 preferably is installed on each node. Collectively, the metadata managers in a cluster act as a distributed database, managing all archive objects. On a given node, the metadata manager 328 manages a subset of archive objects, where preferably each object maps between an external file (“EF,” the data that entered the archive for storage) and a set of internal files (each an “IF”) where the archive data is physically located. The same metadata manager 328 also manages a set of archive objects replicated from other nodes. Thus, the current state of every external file is always available to multiple metadata managers on several nodes. In the event of node failure, the metadata managers on other nodes continue to provide access to the data previously managed by the failed node. This operation is described in more detail below. The storage manager 330 provides a file system layer available to all other components in the distributed application. Preferably, it stores the data objects in a node's local file system. Each drive in a given node preferably has its own storage manager. This allows the node to remove individual drives and to optimize throughput. The storage manager 330 also provides system information, integrity checks on the data, and the ability to traverse local directory structures.
As illustrated in
In an illustrated embodiment, the application instance executes on a base operating system 336, such as Red Hat Linux 10.0. The communications middleware is any convenient distributed communication mechanism. Other components may include FUSE (Filesystem in USErspace), which may be used for the Fixed Content File System (FCFS) 316. The NFS gateway 310 may be implemented by Unfsd, which is a user space implementation of the standard nfsd Linux Kernel NFS driver. The database in each node may be implemented, for example, by PostgreSQL (also referred to herein as Postgres), which is an object-relational database management system (ORDBMS). The node may include a Web server, such as Jetty, which is a Java HTTP server and servlet container. Of course, the above mechanisms are merely illustrative.
The storage manager 330 on a given node is responsible for managing the physical storage devices. Preferably, each storage manager instance is responsible for a single root directory into which all files are placed according to its placement algorithm. Multiple storage manager instances can be running on a node at the same time, and each usually represents a different physical disk in the system. The storage manager abstracts the drive and interface technology being used from the rest of the system. When the storage manager instance is asked to write a file it generates a full path and file name for the representation for which it will be responsible. In a representative embodiment, each object to be stored on a storage manager is received as raw data to be stored, with the storage manager then adding its own metadata to the file as it stores it to keep track of different types of information. By way of example, this metadata includes: EF length (length of external file in bytes), IF Segment size (size of this piece of the Internal File), EF Protection representation (EF protection mode), IF protection role (representation of this internal file), EF Creation timestamp (external file timestamp), Signature (signature of the internal file at the time of the write (PUT), including a signature type) and EF Filename (external file filename). Storing this additional metadata with the internal file data provides for additional levels of protection. In particular, scavenging can create external file records in the database from the metadata stored in the internal files. Other services (sometimes referred to herein as “policies”) can validate internal file hash against the internal file to validate that the internal file remains intact.
As noted above, internal files preferably are the “chunks” of data representing a portion of the original “file” in the archive object, and preferably they are placed on different nodes to achieve striping and protection blocks. Typically, one external file entry is present in a metadata manager for each archive object, while there may be many internal file entries for each external file entry. Typically, internal file layout depends on the system. In a given implementation, the actual physical format of this data on disk is stored in a series of variable length records.
The request manager 324 is responsible for executing the set of operations needed to perform archive actions by interacting with other components within the system. The request manager supports many simultaneous actions of different types, is able to roll-back any failed transactions, and supports transactions that can take a long time to execute. The request manager also ensures that read/write operations in the archive are handled properly and guarantees all requests are in a known state at all times. It also provides transaction control for coordinating multiple read/write operations across nodes to satisfy a given client request. In addition, the request manager caches metadata manager entries for recently used files and provides buffering for sessions as well as data blocks.
A cluster's primary responsibility is to store an unlimited number of files on disk reliably. A given node may be thought of as being “unreliable,” in the sense that it may be unreachable or otherwise unavailable for any reason. A collection of such potentially unreliable nodes collaborate to create reliable and highly available storage. Generally, there are two types of information that need to be stored: the files themselves and the metadata about the files.
A content platform such as described above may implement a data protection level (DPL) scheme such as described in Ser. No. 11/675,224, filed Feb. 15, 2007, the disclosure of which is incorporated by reference.
The content platform also may implement a replication scheme such as described in Ser. No. 11/936,317, filed Nov. 7, 2007, the disclosure of which is incorporated by reference.
The above is a description of a known content platform or “cluster.” The following describes how an enterprise (or other entity, such as a service provider) can partition such a cluster and use the cluster resources more effectively as the amount of user data to be stored increases.Cluster Partitioning—Tenants and Namespaces
The following terminology applies to the subject matter that is now described:
Data Account (DA): an authenticated account that provides access to one or more namespaces. The account has a separate set of CRUD (create, read, update, and delete) privileges for each namespace that it can access.
Namespace (NS): a logical partition of the cluster. A namespace essentially serves as a collection of objects particular to at least one defined application. As will be described, each namespace has a private filesystem with respect to other namespaces. Moreover, access to one namespace does not grant a user access to another namespace. An archive may have an upper bound on the number of namespaces allowed on a single cluster (e.g., up to 100).
Authenticated Namespace (ANS): a namespace (preferably HTTP-only) that requires authenticated data access.
Default Namespace (dNS): a namespace for use with data that is ingested into the cluster in other than REST (Representational State Transfer), where REST is a lightweight protocol commonly used for exchanging structured data and type information on the Web. Further, even if an application uses the REST interface, if a namespace is not specified during authentication to the cluster, all data can be stored in the default namespace.
Tenant: a grouping of namespace(s) and possibly other subtenants.
Top-Level Tenant (TLT): a tenant which has no parent tenant, e.g. an enterprise.
Subtenant: a tenant whose parent is another tenant; e.g. the enterprise's financing department.
Default Tenant: the top-level tenant that contains only the default namespace.
Cluster: a physical archive instance, such as described above.
When the cluster is freshly installed, it contains no tenants. Cluster administrators create top-level tenants and administrative accounts associated with those top-level tenants, as well as enable the default tenant and default namespace.
At a macro level, all namespaces can be considered as the same or substantially the same entities with the same qualities and capabilities. Generally, and as will be seen, a namespace has a set of associated capabilities that may be enabled or disabled as determined by an appropriately credentialed administrator. A single namespace can host one or more applications, although preferably a namespace is associated with just one defined application (although this is not a limitation). A namespace typically has one or more of the following set of associated capabilities that a namespace administrator can choose to enable or disable for a given data account: read (r)—includes reading files, directory listings, and exists/HEAD operations; write (w); delete (d); purge (p)—allows one to purge all versions of a file; privileged (P)—allows for privileged delete and privileged purge; and search (s).
Using namespaces, and as illustrated generally in
One of ordinary skill in the art will appreciate that a tenant is a logical archive as viewed by an administrator. As shown in
A tenant preferably has a set of attributes: namespaces, administrative accounts, data access accounts, permission mask, roll-up of state, name, and quotas. A tenant may contain zero or more namespaces. A tenant will have a set of administrative accounts (such as account 412) that enable users to monitor and update attributes of the tenant. The data access accounts are the set of accounts which access namespace objects. A permission mask (r/w/d/p/P/s) is the set of permissions global to the tenant and that mask a namespace's permissions. The roll-up of state are the metrics on all namespaces within the tenant. The name of the tenant is settable and changeable by an appropriate administrator. Tenant names within the same cluster must not collide. A top level tenant preferably is assigned a hard storage quota by the administrator. The appropriate admin can lower or raise that quota, and he or she can assign as much quota as desired. The TLT can also specify a soft quota, which is a given percentage of the hard quota. A tenant is able to divide its quota among one or more namespaces, but the total assigned quota may not exceed that of the tenant. For accounting purposes, preferably the quota will measure the rounded up size of an ingested file to the nearest block size. A soft quota is typically a predetermined percentage (e.g., 85%) of a hard quota, but this value may be configurable. Once the hard quota is exceeded, no further writes are allowed, although in-progress writes preferably are not blocked. It may be acceptable to have a delay between exceeding a quota and having future writes blocked. Preferably, quotas are replicated but cannot be changed. When a replica becomes writable, the quota is enforced there as well.
A tenant administrator also has a set of roles that include one or more of the following: a monitor role, an administrator role, a security role, and a compliance role. A monitor role is a read-only version of an administrator role. The administrator role is the primary role associated with a tenant. As described and illustrated above, this role allows an admin user to create namespaces under the current tenant, and it provides a view of all namespaces within this tenant (and associated statistics such as file counts, space available, space used, etc.). The administrator also can view tenant and namespace logs, and he or she can view/update tenant and namespace configuration. The security role gives a user the ability to create/modify/delete new administrative users. A user with the security role can add and delete roles from other tenant-level administrative accounts. When the tenant is first created, preferably there is one administrative user associated with the tenant, and this user account has just the security role. The compliance role enables privileged delete and retention class functions (as defined below).
A namespace is a logical archive as viewed by an application. According to the subject matter herein, a particular namespace is distinct from a different namespace, and access to one namespace does not grant a user access to another namespace. Preferably, administration of a namespace is performed at the owning tenant level. Moreover, preferably a namespace may only be deleted if a count of objects associated with that namespace is zero. A namespace preferably also has the following attributes: permission mask, initial settings, other settings, display name, quota, logs, and stats. As noted above, the permission mask (r/w/d/p/P/s) is the set of settings global to the namespace and which mask an account's permissions. The initial settings identify a data protection level (DPL), a hashing scheme, and the like, that preferably remain persistent. The other settings refer to settings (such as retention, shred, versioning, indexing, and the like) that can be set on the namespace and then later changed. This feature is described in more detail below. The display name is a name or other identifier for the namespace. The quota is either hard (in GB) or soft (in percent). The logs attribute identifies the system events related to the namespace that will be logged. The stats attribute identifies the statistics that are generated from namespace-related data, such as capacity, number of objects, and the like.
Preferably, tenant names and namespace names are human readable identifiers in the various administrative user interfaces (UIs). Preferably, these names also are used in hostnames to specify the namespace of a data access request, the tenant which an administrator is administrating, and the scope over which a search should be confined. The namespace name is useful because a tenant may have more than one namespace associated with it. Preferably, object access over HTTP uses a hostname in the form of:
These names comply with conventional domain name system (DNS) standards. As noted above, tenant names on a cluster must not collide.
The following provides additional details of a tenant administrative user interface (UI) and the associated functionality provided by that interface. Preferably, the tenant UI is implemented as a Web-based user interface (such as the interface 318 in
As seen in
By selecting the Create Namespace container title bar, the Create Namespace container 700 expands as shown in
Referring back to
If the user selects the Policies tab 812 from the Namespace Overview container 800, a Policies page is displayed from which the user can then configure one or more policies for the particular namespace. In
Another configurable policy is versioning.
The following provides additional details regarding versioning. As noted above, if versioning is enabled, the archive can store multiple versions of the same object in the archive. An object version consists of a file, its associated data, metadata, and custom metadata. Preferably, versions apply to data objects only and not to directories or symbolic links, although this is not a limitation. A version is data, metadata and custom metadata. Preferably, metadata changes are made in place on a current version and do not create new versions. Versions are unique objects that are linked to each other in the manner described below. A version is deleted by a prune operation, which is an operation that deletes all version of a particular object before a given time. An operation that deletes all versions (current and previous) of a particular object is a purge. As illustrated in
As noted above, within the archive each object maps between an external file (“EF,” the data that entered the archive for storage) and a set of internal files (each an “IF”) where the archive data is physically located. As used herein, a version is an external file (EF) and is treated as any other file object in the system. External files are maintained using an external_file database table. With versioning enabled for a given namespace, multiple versions of the same object may be kept in the archive. In particular, a version is identified by a version identifier (version_id), which is added to ExternalFileBinaryName, which identifies unique rows in the external_file database table. Preferably, version expiration time is configured at the namespace level, and configuration information need not be maintained per object.
To create the version identifier, a time value encoded in milliseconds as a 64 bit value is shifted (e.g., left shifted) a given number of (e.g., 6) bits, and the extra bits are used to further disambiguate events that occur in the same millisecond. The additional bits are assigned by a manager process to disambiguate times. The version_id is a unique key to a particular version of a file. It is assigned at the time of version creation, using the time encoding as defined above. A version_id value is stored in a version_id column of the external_file database table. Once a version becomes historical, its change_time is effectively read-only so that versions can be sorted. In this manner, a given version includes or has associated therewith a “time of storage.” Thus, after versioning is enabled in the namespace, multiple versions of the same data object may then be stored in the archive, and each version has associated therewith a “time of storage” attribute that at least in part uniquely identifies the version.
To support the creation, deletion and purging of versions, the external_file database table is augmented to include the concept of EF (ExternalFile) row types. Preferably, the row types are encoded in a given number of (e.g., 2) bits in an ExternalFile Flags column, with “00” meaning create, “10” meaning delete, “11” meaning purge and “01” being unused. On create, delete or purge operations, a new row is inserted into the external_file database table with a new version_id and change_time. Preferably, all versions for a file are stored in the same table in the same region. Because there is a new change_time index, external_file thus is partitioned into two sections, a “current version” and a “history” segment. This partition is based on what time the metadata manager component queries are using. In addition, ExternalFileBinaryName is updated to include version_id. This value is then used by a metadata manager component to denote which version to operate on.
The following sections describe EF lifecycle changes when versioning is implemented. A create for a file cause a new version row, with a newly-assigned version_id, to be inserted into the external_file database table. A delete for a file inserts a new delete version into the external_file table with a new change_time and version_id. On a purge, a purge record is inserted into the external_file table and all previous versions in that table are marked as “garbage.” Setting a retention hold updates a current version's row in the external_file table and sets a hold bit for each version record of the object in external_file. The change_time is updated for the current version but not for previous versions in the table. Preferably, the change_time cannot be modified for previous versions (to preserve the version_id ordering). Updating the change_time of the current version enable replication to send the held record to a replica, where it can apply the same logic.
Preferably, functions on object versions are supported through HTTP, using an HTTP API that supports several functions for versions: Create—creates a new version, List—lists available versions; Read—reads a particular version's data, metadata or custom metadata, and Purge—an operation to delete all versions of the file; optionally, a privileged purge can be triggered. A new version may be created by overwriting an existing object in the archive through HTTP, but only in the namespace in which versioning is enabled. On an HTTP PUT, the previous object's data, metadata and custom metadata are locked and are considered an historical version. On a successful HTTP PUT, the version identifier associated with the new object is returned in an HTTP header. As noted above, the version identifier and full path to the object is a unique key to this particular version of the object. Preferably, metadata and custom metadata of an object are inherited on version creation. If desired, HTTP PUT parameters can be used to overwrite inheritance. An HTML GET request with the List attribute returns an XML-based listing of the object versions. When versioning is enabled, a delete request creates a new deleted version. The previous version is still browsable through the HTTP gateway. This allows a user to read a previous version (as long as it has not been pruned or purged) in the case of an accidental delete. To delete all versions of an object, the HTTP DELETE is used with purge set to true. The purge operation works only on objects for which the current version is not under retention. When the current version of an object is under retention and privileged delete (as described in more detail below) is available on the cluster, a privileged purge method is available.
The following are some additional details regarding versions. Old versions may be pruned (e.g., by a garbage collection policy) periodically based on age. If an object is under litigation hold, for example, the version is ineligible for deletion, however. A search preferably indexes only the current version of a file, and previous versions of files are not indexed. Preferably, all operations to files and versions are replicated from the primary cluster to a replica. This includes the data of each version, purge/delete operations, and all metadata updates (including retention hold updates). Preferably, the most recent version (operation) of a particular file that has been replicated to the replica is visible as current on the replica. Finally, once an object is under retention, preferably no new versions of it can be stored. As noted above, setting retention on the current version of an object preferably prevents deletion of only the current version, and garbage collection is free to prune away older versions, as noted above. Setting a retention hold on the current version, however, prevents pruning of all versions. The hold state is replicated, which also prevent pruning on the replica.
Through the above-described functionality, the system enables the creation and management of multiple versions of objects stored in the archive. Object versions comprise data, metadata, and custom metadata, and a new object version is created when data changes. A current version of an object is accessible through all available protocols used in the archive, and historical versions can be browsed, e.g., using simple HTTP requests. Versioning is enabled or disabled using the administrator console at the level of a namespace, and an administrator can configure the period during which older versions are to be kept. If replication is enabled, the administrator can also configure the period during which older versions are maintained on the replica. Preferably, the system also provides versioning metrics for each namespace. Further, object versions under retention preferably cannot be versioned or deleted.
Returning to the description of the administrator console, if the user selects the Services tab 814 for the Namespace, one or more service options may be configured. One such service option is disposition, which enables automatic deletion of objects with expired retention. The disposition services option is enabled through a panel 1100 that includes a checkbox 1102, which is selected to enable the option for the particular namespace. The user selects the Update Services button 1104 to complete the configuration. Thus, according to the configuration option, once the configured retention identified in the retention class expires, the objects are automatically deleted from the cluster. This operation is advantageous as it enables the cluster to reclaim storage space. The disposition, however, is on a namespace-by-namespace basis, which is highly desirable and provides increased management flexibility.
If the user select the Compliance tab 816 for the Namespace, one or more compliance options may be configured. In
Another configurable option in the Compliance tab 816 for the Namespace is the option to configure one or more Retention Classes. A Retention Class is a defined grouping of objects that are to be subject to the same retention configuration. When the user navigates to the Retention Classes tab, a set of previously-defined Retention Classes and their offsets are displayed and can be selected for review. To add a new retention class, the user selects a title bar, which opens up the container 1300 shown in
Although not illustrated in detail, the other display panels expose other configuration options that may be used to configure operations and functions on a namespace-specific basis. Thus, Protocols tab 818 enables the administrator to manage protocol settings, such as enabling HTTP, HTTPS, and to create white/block lists of IP addresses. The Monitoring tab 820 enables the administrator to identify or review system log messages that are specific to the namespace, to review object status, and to illustrate privileged delete and retention class activities.
The administrator can also create and manage data access accounts from pages in the console and have these configuration settings applied to all namespaces for which the tenant is current logged into. For each such data access account, the administrator can associate the desired access rights (e.g., read, write, delete, purge, search, etc.) that will be afforded the individual.
If the namespace is authenticated, the following additional controls may be imposed. Preferably, access to archive objects in an authenticated namespace is carried out through HTTP and subject to valid credentials. A client must supply these credentials to the cluster, typically using Cookie and Host headers on each HTTP operation. The necessary information required to map a client request to a specific data access account in a namespace includes username, password, and a fully qualified namespace name (FQNN). The FQNN identifies the namespace within a tenant hierarchy, and it based on the namespace name, the tenant name, and a tenant's parent name (if any). REST access methods preferably are used for object actions (object ingestion, object retrieval, object existence checks, object deletion, object purge, directory listing, and directory creation), and metadata actions (set retention, set legal hold, set shred on delete, set/get/delete custom metadata, get all metadata). As is known, REST (Representational State Transfer) is a lightweight protocol commonly used for exchanging structured data and type information on the Web. Transport layer security mechanisms, such as HTTP over TLS (Transport Layer Security), may be used to secure messages between two adjacent nodes. Familiarity with these technologies and standards is presumed.
Thus, e.g., an HTTP DELETE request is used to delete a data object or empty data directory from a namespace. If versioning is enabled for the namespace, this method deletes the most current version of a data object, or it can purge all versions of an object. If a data account has the compliance permission enabled, this method may privilege delete or privilege purge an object under retention, as described above. The HTTP DELETE request preferably supports a set of metadata parameters such as: purge (true/false), which controls whether to delete all versions (if the object is versioned); privileged (true/false), which controls whether this is a privileged delete or privileged purge of an object under retention, and reason, which is set to true (if privileged) and provides an HTTP 400 error (if not).
By partitioning the UI into cluster and tenant-focused pieces, different people can perform cluster and tenant management. This ensures that privacy between the cluster admin and tenant admin views, ensures that the tenant does not have access to hardware or other details that may “break” the cluster, and protects the privacy of tenant data.
The subject matter described herein provides numerous advantages. Using the namespaces approach described, an entity (such as an enterprise operating the archive) can more easily segregate and manage its data. The approach enables the administrator to perform cluster operations on select subsets of the total cluster data set, as well as the ability to perform metering operations (e.g., capacity reporting) at a more finer granularity. The ability to partition the cluster in the manner described provides significant operational, management and administrative efficiencies, as the ever-increasing (e.g., petabyte scale) data would be difficult to manage otherwise.
The described subject matter enables different administrators to perform cluster and tenant management, and to minimize the information that passes between these two areas.
The subject matter is not limited to any particular type of use case. A typical use environment is an enterprise, although the techniques may be implemented by a storage service provider or an entity that operates a storage cloud.
The techniques described herein, wherein users associated with a tenant (such as a TLT) have access privileges created and managed as set forth above may be extended and used in other than an archive cluster for fixed content. Thus, for example, these techniques may also be implemented in the context of a standard virtualization approach for a storage management system.
While the above describes a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary, as alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, or the like. References in the specification to a given embodiment indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic.
While the present invention has been described in the context of a method or process, the present invention also relates to apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but is not limited to, any type of disk including optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), magnetic or optical cards, or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.
While given components of the system have been described separately, one of ordinary skill will appreciate that some of the functions may be combined or shared in given instructions, program sequences, code portions, and the like.
As used herein, the word “location” is not necessarily limited to a “geographic” location. While clusters are typically separated geographically, this is not a requirement. A primary cluster may be located in one data center in a city, while the replica cluster is located in another data center in the same center. The two clusters may also be in different locations within a single data center.
Although the present invention has been described in the context of an archive for “fixed content,” this is not a limitation either. The techniques described herein may be applied equally to storage systems that allow append and replace type modifications to the content.
1. A method of operating a physical archive cluster instance, the cluster instance comprising a redundant array of independent nodes, wherein each node comprises a processor, a data store coupled to the processor, and a local file system, and an application instance stored in the data store and executed by the processor, the method comprising:
- logically partitioning the archive cluster into a set of one or more namespaces, wherein a namespace comprises a collection of data objects and has a configuration parameter associated therewith;
- enabling versioning at a given namespace of the set of one or more namespaces; and
- for the given namespace that has been enabled for version, storing multiple versions of a data object, wherein each version of the multiple versions has associated therewith a time of storage attribute that uniquely identifies the version.
2. The method as described in claim 1 wherein the multiple versions of the data object are stored in a same region of the archive cluster instance.
3. The method as described in claim 1 further including associating one or more tenants with the archive cluster, wherein one or more namespaces are associated with a given tenant.
4. The method as described in claim 1 wherein the collection of objects is associated with a particular application.
5. The method as described in claim 1 wherein the step of enabling versioning further includes setting the configuration parameter identifying a time period for maintaining a version in the archive cluster.
6. The method as described in claim 5 wherein the step of enabling versioning further including setting a second configuration parameter identifying a time period for maintaining a version of the data object on a replica associated with the archive cluster.
7. The method as described in claim 1 wherein a new version of the data object is created upon ingestion into the namespace of another data object having a same file name as the data object.
8. The method as described in claim 1 further including providing an application programming interface (API) through which one or more functions are applied against a prior version of the data object.
9. The method as described in claim 8 wherein the one or more functions enable a prior version of the data object to be reviewed.
10. The method as described in claim 1 further including disabling versioning for a data object under retention or hold.
11. A method of operating a physical archive cluster instance, the cluster instance comprising a redundant array of independent nodes, wherein each node comprises a processor, a data store coupled to the processor, and a local file system, and an application instance stored in the data store and executed by the processor, the method comprising:
- logically partitioning the archive cluster into a set of namespaces, wherein each namespace of the set of namespaces comprises a set of data objects, and each namespace is managed independently with respect to any other namespace in the set of namespaces; and
- storing multiple versions of a data object in association with a given namespace in the set of namespaces, wherein each version of the multiple versions has associated therewith a time-based version identifier that uniquely identifies the version in the archive cluster.
12. The method as described in claim 11 wherein the multiple versions of the data object are stored in a same region of the archive cluster instance.
13. The method as described in claim 11 further including associating one or more tenants with the archive cluster, wherein one or more namespaces are associated with a given tenant.
14. The method as described in claim 11 wherein the collection of objects is associated with a particular application.
15. The method as described in claim 11 further including identifying a time period for maintaining a version in the archive cluster.
16. The method as described in claim 15 further including identifying a time period for maintaining a version of the data object on a replica associated with the archive cluster.
17. The method as described in claim 11 wherein a new version of the data object is created upon ingestion into the namespace of another data object having a same file name as the data object.
18. The method as described in claim 1 further including providing an application programming interface (API) through which one or more functions are applied against a prior version of the data object.
19. The method as described in claim 18 wherein the one or more functions enable a prior version of the data object to be reviewed.
20. The method as described in claim 1 further including disabling versioning for a data object under retention or hold.
Filed: Oct 30, 2009
Publication Date: May 5, 2011
Patent Grant number: 8566290
Inventors: Matthew M. McDonald (Quincy, MA), Vitaly Zolotusky (Acton, MA), Benjamin J. Isherwood (Tewksbury, MA), Christopher S. Lacasse (Grafton, MA), Jack A. Orenstein (Needham, MA)
Application Number: 12/609,770
International Classification: G06F 17/30 (20060101); G06F 9/46 (20060101);